HOWTO: Unlock A LUKS Encrypted Root Partition Via SSH On Ubuntu

Author: Stephan Jau
Revision: v1.0
Last Change: June 15 2008

Introduction

Fully encrypted systems prevent others from getting your data from physical access. The rationale behind the encryption of a complete system is that you don't have worry about what you encrypt and what not, because everything (except for the /boot) partition will be encrypted.

However the problem I have encountered so far is, how could I reboot my computer from afar? I would be required to be in front of the computer and enter the password. I have wondered this far how I could reboot the computer remotely.

On Debian Administrator I found then an article written by Wulf (Wolfram Coulmann) in which he creates an initrd with dropbear as lightweight ssh server and an unlock script. However that script has still a few bugs and is not suited for Ubuntu. In the comments however, there are a few modifications (especially comment #31 and #29) which will make it also work on ubuntu.

Step 0: Enable root login

First, you have to enable the root account.

sudo passwd root

The reason why I say that root must be enabled is, because I couldn't work out how to get the whole sudo permission stuff into the initrd. I'm sure there must be a way and if someone is willing to take up the challenge, please go ahead. However you can enable root login only during the creation of the initrd. Once it's created then the according stuff is saved in there and you can remove root login from the actual installation again. The root login is only required to log into dropbear and then run the unlock script. It's not used for anything else.

Step 1: Install required packages

Install those packages:

sudo apt-get install psmisc busybox dropbear

Step 2: Configure network

In the script change the network configuration to your needs. I have sofar only used static ips. The script itself provides also option for dhcp - however I did not try those.

Don't copy my example directly but use yours. That way the root hd entry and the mapper name are correct.

Finally, at the top of the menu.lst also change the default boot entry accordingly. If you have 7 kernel entries, then you will put a "6" there because it starts with 0 and you add the netboot one at the bottom.

Step 6: Delete the dropbear script in the hooks folder

When I tried it on my machine, after a kernel upgrade there were some problems (which may have resulted from my earlier tries with a buggy script). Just to make sure, delete the dropbear script from the folder.

sudo rm /etc/initramfs-tools/hooks/dropbear

Step 7: Profit!

That's it... it should be working now.

A few things to mention

- Well, in the script I currently call a ifconfig after the network configuration. I did that for bugtracing. You can of course delete that from the script.

- After you have now created the netboot initrd you can either change the root password again or disable root login. As the initrd is not encrypted it is possible to get the hash of the root password and so you want to use a different one from remote unlocking the crypto drives. I highly recommend changing the password or disabling root login in the actual machine.

Change root password

sudo passwd root

or delete the root password (disable root)

sudo passwd -l root

- Although the system is fully encrypted, there are still two possible attacks left to gain access to the data:

(1) ColdBoot Attack by reading the crypto password from the ram blocks (not much you can't do against that without special hardware, see here)

(2) The created initrd can be manipulated so that it logs the crypto password somewhere. As /boot is not encrypted an attacker may gain this way the password for the LUKS-devices. You could, to prevent that, make a bootable cd with the according kernels and initrds and implement some kind of hash check... maybe there are other methods... feedback is welcomed here.

- Most of this tutorial is not from me, just a few adapations and explanations. So thanks goes to Wolfram Coulmann and the others who modified the original script.

I'm having issues getting this working on Ubuntu Lucid 10.04 Server. I get to the point where dropbear ssh runs and it asks for a password, but it does not accept it. I've tried my user and root. Can you write up a how to for Lucid Server?

remove the "quiet splash" after the file system, or I changed mine to "ro quiet nosplash vga=790" I assume removing it works too

That one option cost me about 1 1/2 hours because the system just boots up normal and it seems like you did something wrong, when actually it is working but GDM (I think) has started before the ssh server can so you have to enter in the password locally.

Using patched mkinitrd won't boot because raidautorun is started from /bin/unlock script what is obviously wrong, because raidautorun is internal command for nash.

there are two obvious solutions for this:1. edit script to emit raidautorun statement to /init script ( nash will interpret it ) - my solution

2. use busybox version where is raidautorun compiled in + add symlink to bin under raidautorun - this won't work, raidautodetect called from busybox is unable to detect raid volume. Calling raidautodetect as nash command will detect it. ( dont add any raidautorun to /bin - it will override nash internal command )

sometimes busybox is missing library, it is good idea to browse dependencies for busybox in mkinitrd as it does for other tools

Since Ubuntu 10.04 the above script will no longer work. The feature to unlock a root partition via ssh has been integrated into the distribution. If there is a LUKS encrypted root partition, then there will automatically be a dropbear ssh server and a busybox running, and the network is set up using DHCP.

By default, you can connect to the SSH server as root using the private key in the file /etc/initramfs-tools/root/.ssh/id_rsaThe root partition can be unlocked by issuing the command:echo -n "Passphrase" > /lib/cryptsetup/passfifo... if there wasn't the new boot screen plymouth that was introduced with 10.04

The following script is a major modification of the above. Like the original, it will allow you to connect via ssh and unlock the filesystem by simply typing unlock. Additionally, you can use private key, password-based authentication or both. Just follow the instructions at the top (tested with Ubuntu 10.10 server, should work with 10.04 as well):

I am observing problem with the script in the manual with latest ubuntu server (11.04). I am getting to the point that i can successfully login into the dropbear service, but the command unlock is giving me the error that in can not load modprobe.

I have tried to reboot and then enter :

echo -n "Passphrase" > /lib/cryptsetup/passfifo

but this is not returning enything.

Can someone post en example of unlocking the system. Or at least the procedure how it should look like so we can compare what is wrong.